
Ethical Hacking News

Critical React2Shell Flaw Leads to Widespread Exploitation by China-Linked Threat Actors



A critical flaw in React and Next.js libraries has led to widespread exploitation by China-linked threat actors, highlighting the need for organizations to address this issue promptly. The React2Shell vulnerability allows remote code execution without authentication or authorization, posing a significant threat to businesses worldwide.

  • The Critical React2Shell vulnerability (CVE-2025-55182) allows for remote code execution without authentication or authorization, posing a significant threat to organizations worldwide.
  • The vulnerability is an insecure deserialization vulnerability in the React Server Components (RSC) 'Flight' protocol, enabling attackers to execute arbitrary JavaScript code in the server's context.
  • A related vulnerability exists in the Next.js framework (CVE-2025-66478), but no unified patch is currently available due to a duplicate CVE issue.
  • 39% of cloud environments are susceptible to React2Shell attacks, highlighting the severity of this issue, according to a study by Wiz researchers.
  • Threat actors linked to China started exploiting the vulnerability just hours after its public disclosure on December 3, 2025.
  • The attackers used automated scans and manual testing to exploit the vulnerability, demonstrating active debugging and refinement of their techniques.
  • Security patches have been released by React and Next.js, but the ease of exploitation makes it crucial for organizations to review server configurations and apply patches promptly.
  • An asset scanner tool is available on GitHub to help mitigate this risk.
  • Experts emphasize the importance of breaking down IAM silos to prevent such security incidents in the future.



    Amazon Web Services (AWS) has recently issued a report detailing the rapid exploitation of the Critical React2Shell vulnerability, which was made public just hours prior. This highly critical flaw in the React and Next.js libraries allows for remote code execution without authentication or authorization, posing a significant threat to organizations worldwide.

    The React2Shell vulnerability (CVE-2025-55182) is an insecure deserialization vulnerability in the React Server Components (RSC) 'Flight' protocol. As such, it enables attackers to execute arbitrary JavaScript code in the server's context. This means that even without authentication or authorization, an attacker can exploit this flaw to gain control over a server and potentially access sensitive data.

    The Next.js framework also contains a related vulnerability (CVE-2025-66478), but because that tracking number was rejected in the National Vulnerability Database's CVE list as a duplicate of CVE-2025-55182, there is currently no unified patch available for both issues. However, several proof-of-concept (PoC) exploits have already been published, increasing the likelihood of related threat activity.

    The React2Shell vulnerability affects multiple versions of the widely used library and potentially exposes thousands of dependent projects to this attack. A study conducted by Wiz researchers has shown that 39% of cloud environments they observed are susceptible to React2Shell attacks, highlighting the severity of this issue.

    Following the public disclosure of CVE-2025-55182 on December 3, 2025, threat actors linked to China started exploiting this flaw just hours later. A report from AWS notes that multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda, actively exploited React2Shell almost immediately after its disclosure.

    These attackers used a mix of public exploits along with manual testing and real-time troubleshooting against targeted environments. The observed activity includes repeated attempts with different payloads, Linux command execution (whoami, id), and efforts to create files (/tmp/pwned.txt) and read /etc/passwd.

    This behavior from the threat actors demonstrates that they are not only running automated scans but also actively debugging and refining their exploitation techniques against live targets. The fact that these attackers were able to exploit this vulnerability so quickly after its public disclosure underscores the need for organizations to address this issue as soon as possible.
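    The command sequence reported above (whoami, id, a file created under /tmp, a read of /etc/passwd) gives defenders something concrete to hunt for in host telemetry. The following Node.js snippet is an added example, not code from the article or from the AWS report: it runs a few detection rules over constructed process-execution events and flags only child processes of the application server process. The event schema (ts, pid, ppid, parentComm, comm, cmdline, user) and the server process names are assumptions to map onto your own EDR or auditd fields.

```javascript
// Added example (not from the article or the AWS report): flag child processes of the
// Node.js application server that match the post-exploitation behaviour described above.
// Event schema and server process names are ASSUMPTIONS; map your EDR/auditd fields onto them.
const SERVER_PARENTS = new Set(['node', 'next-server']); // assumed comm names of the app server
const SHELLS = new Set(['sh', 'bash', 'dash', 'zsh']);

// Each rule is evaluated only against events whose parent is the app server.
const RULES = [
  { id: 'rsc-shell-spawn', desc: 'app server spawned a shell',
    match: e => SHELLS.has(e.comm) },
  { id: 'rsc-recon-cmd', desc: 'identity/recon command run from app server',
    match: e => /\b(whoami|id|uname)\b/.test(e.cmdline) },
  { id: 'rsc-passwd-read', desc: '/etc/passwd accessed from app server',
    match: e => /\/etc\/passwd\b/.test(e.cmdline) },
  { id: 'rsc-tmp-write', desc: 'file written under /tmp from app server',
    match: e => /(>>?|\btee\b|\btouch\b)\s*\/tmp\//.test(e.cmdline) },
];

// Returns one finding per matching rule for a single event (empty if the parent is not the server).
function evaluateEvent(e) {
  if (!SERVER_PARENTS.has(e.parentComm)) return [];
  return RULES.filter(r => r.match(e)).map(r => ({
    ts: e.ts, pid: e.pid, user: e.user, rule: r.id, desc: r.desc, cmdline: e.cmdline,
  }));
}

// Runs all events through the rules and returns the flat list of findings.
function detect(events) {
  return events.flatMap(evaluateEvent);
}

// Groups findings by process so an analyst sees one line per suspicious child process.
function summarize(findings) {
  const byPid = new Map();
  for (const f of findings) {
    const cur = byPid.get(f.pid) || { pid: f.pid, cmdline: f.cmdline, rules: [] };
    cur.rules.push(f.rule);
    byPid.set(f.pid, cur);
  }
  return [...byPid.values()];
}

// Constructed sample telemetry (not real data). The first four rows mirror the behaviour
// described in the article; the rest are benign activity that must not be flagged.
const SAMPLE_EVENTS = [
  { ts: '2025-12-03T14:02:11Z', pid: 4101, ppid: 1200, parentComm: 'node', comm: 'sh',     cmdline: 'sh -c whoami', user: 'app' },
  { ts: '2025-12-03T14:02:13Z', pid: 4102, ppid: 1200, parentComm: 'node', comm: 'sh',     cmdline: 'sh -c id', user: 'app' },
  { ts: '2025-12-03T14:02:20Z', pid: 4103, ppid: 1200, parentComm: 'node', comm: 'sh',     cmdline: 'sh -c "echo pwned > /tmp/pwned.txt"', user: 'app' },
  { ts: '2025-12-03T14:02:25Z', pid: 4104, ppid: 1200, parentComm: 'node', comm: 'cat',    cmdline: 'cat /etc/passwd', user: 'app' },
  { ts: '2025-12-03T14:05:00Z', pid: 4200, ppid: 1,    parentComm: 'cron', comm: 'sh',     cmdline: 'sh -c /usr/local/bin/rotate-logs', user: 'root' },
  { ts: '2025-12-03T14:06:00Z', pid: 4300, ppid: 2200, parentComm: 'bash', comm: 'whoami', cmdline: 'whoami', user: 'ops' },
  { ts: '2025-12-03T14:07:00Z', pid: 4105, ppid: 1200, parentComm: 'node', comm: 'git',    cmdline: 'git rev-parse HEAD', user: 'app' },
];

for (const row of summarize(detect(SAMPLE_EVENTS))) {
  console.log(`pid ${row.pid}: ${row.rules.join(', ')}  <- ${row.cmdline}`);
}
```

    The parent-process filter does most of the work: an RSC application server has little reason to spawn a shell at all, so the shell-spawn rule alone is a strong signal, and the command-specific rules mainly add context for triage. Interactive operator activity (the whoami from bash) and scheduled jobs (the cron child) pass through untouched.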

    Several security patches have been released by React and Next.js, but due to the triviality of the flaw, attackers can exploit it even without authentication or authorization in the default configuration. This makes it crucial for organizations to review their server configurations and apply any available patches promptly.

    To help mitigate this risk, an asset scanner tool has been released on GitHub that can be used to determine if an environment is vulnerable to React2Shell attacks.
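    The asset scanner mentioned above is not reproduced here. As an added example, not the article's, AWS's or any vendor's code, the following Node.js script does the dependency side of the same check for the "thousands of dependent projects" noted earlier: it walks an npm lockfile (v2/v3 `packages` map) and flags installed React Server Components packages whose version is older than the first fixed release in their minor line. The package names and fixed versions in the table are placeholders for illustration; populate them from the React and Next.js advisories for CVE-2025-55182 before relying on the result.

```javascript
// Added example (not from the article or any vendor): walk an npm lockfile (v2/v3
// "packages" map; lockfile v1 "dependencies" trees are not handled) and flag installed
// React Server Components packages below the first fixed release in the same minor line.
// Package names and fixed versions below are PLACEHOLDERS for illustration only;
// take the real list from the React / Next.js security advisories for CVE-2025-55182.
const EXAMPLE_FIXED_VERSIONS = {
  'react-server-dom-webpack':   ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-parcel':    ['19.0.1', '19.1.2', '19.2.1'],
  'react-server-dom-turbopack': ['19.0.1', '19.1.2', '19.2.1'],
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is vulnerable if its own major.minor line has a fixed release listed and the
// installed version is older than it. Lines with no fixed release in the table are treated
// as unaffected, so older majors do not produce false positives.
function isVulnerable(installed, fixedList) {
  const parsed = parseVersion(installed);
  if (!parsed) return false;
  const [maj, min] = parsed;
  const fixedInLine = fixedList.find(f => {
    const p = parseVersion(f);
    return p && p[0] === maj && p[1] === min;
  });
  return fixedInLine ? compareVersions(installed, fixedInLine) < 0 : false;
}

// Scan every installed package (including nested copies under other dependencies).
function findVulnerablePackages(lockfile, fixedVersions = EXAMPLE_FIXED_VERSIONS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const fixedList = fixedVersions[name];
    if (fixedList && entry.version && isVulnerable(entry.version, fixedList)) {
      findings.push({ path, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project). The nested 19.2.1 copy is patched and
// must not be flagged; the two top-level 19.x.0 copies must.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react': { version: '19.2.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/some-lib/node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/react-server-dom-parcel': { version: '19.0.0' },
  },
};

for (const f of findVulnerablePackages(SAMPLE_LOCKFILE)) {
  console.log(`VULNERABLE ${f.name}@${f.version} at ${f.path}`);
}
```

    To run it against a real project, load the lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass it to `findVulnerablePackages`. Scanning the lockfile rather than `package.json` matters because a vulnerable copy can arrive transitively, nested under another dependency, where the top-level manifest never names it.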

    Furthermore, experts are emphasizing the importance of breaking down IAM silos to prevent such security incidents from happening in the future. The impact of broken IAM practices does not stop at IT; it ripples across the whole business. Therefore, organizations must consider why traditional IAM practices fail to keep up with modern demands and how they can build more scalable strategies.

    In conclusion, the rapid exploitation of the React2Shell vulnerability highlights the need for proactive measures by organizations worldwide. While several patches are now available, it is crucial that these be applied as soon as possible due to the ease of exploitation without authentication or authorization in the default configuration.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-React2Shell-Flaw-Leads-to-Widespread-Exploitation-by-China-Linked-Threat-Actors-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/react2shell-critical-flaw-actively-exploited-in-china-linked-attacks/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182

  • https://www.cvedetails.com/cve/CVE-2025-55182/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-66478

  • https://www.cvedetails.com/cve/CVE-2025-66478/


  • Published: Fri Dec 5 08:32:40 2025 by llama3.2 3B Q4_K_M